Securing Next Generation Carrier Networks Vishak Raman - Regional Director – SAARC.

Securing Next Generation Carrier Networks Vishak Raman - Regional Director – SAARC

Fortinet Confidential

Protecting the Service Provider’s Infrastructure

MOBILENETWORK

RADIUS SERVER

GGSN

SGSN

2Protecting the customer (Managed Security Service Provider)

Subscriber Network

Subscriber Network

Subscriber Network

1

Two discrete solutions for Service ProvidersTwo discrete solutions for Service ProvidersTwo discrete solutions for Service ProvidersTwo discrete solutions for Service Providers

Security Solutions for Service Providers


Managed Security Services


MSS Drivers

DriversDrivers

Domestic RegulationHuge SME uptakeConcerns over ConfidentialityReducing cost & fulfilling corporate requirements

Inhibitors

Perturbations in Financial Markets Lack of Investments in Regional SOCs Localization of Support

Key SuccessFactors

Key SuccessFactors

Service Expertise Quality of Service Cost Reduction Relationship window


APAC MSS Landscape

Integrators

Telecommunication/Wan ProvidersTelecommunication/Wan Providers

Pure-Play

Inclusion Criteria > 150 customer FW/IPS/Web/Mail GW in APAC Or 50 Customers in APAC

HQ or Major RO in APAC

Channel presence in 2 of 6 APAC Regions

2 reference accounts to Gartner


APAC MSS Pointers

Market Growth Rate in 2009

Number of devices 24%

Client Base 16%

Deal Size APAC EMEA<$150K 57% 12.5%

Between $150K and $750K

30% 25%

Between $750K and $1.5M

_______ 25%

>$1.5M _______ 37.5%

Type No of Devices in 2009

CPE ( Customer Premise) 20,010

ITC (In The Cloud ) 2,760

Beyond “Device Management”


NOC/SOC

CPE / Client Based MSS

7

Internet


Cloud Based Services

• Per Customer Virtual Domain▪ Application Control▪ Web Filtering▪ AntiVirus / AntiSpyware▪ Data Leak Prevention▪ AntiSpam▪ Intrusion Protection▪ VPN (IPSec / SSL)▪ Firewall▪ Dynamic Routing

8


Access Layer Virtualization Services

Virtualized Secure Remote Access Service to End Users in Public (IPSec / SSL)

- Virtualized Firewall catering to Virtual Network

- Independent Access Policies

- Virtualized IPS Sensor Policies

- Added advantage with Application control

Protecting VoIP servers and connections from Threat and targeted DoS Attacks

ACCESS CONTROLSecure Authentication and Access

vUTM services in Select Markets


Virtualization in FortiGate

Super Admin

VDOM Admin

FortiGate Hardware

FortiOS

Firewall

VPN(IPSec/SSL)

IPS / App Ctrl

WCF / G AV

Routing

VLANs

Firewall

VPN(IPSec/SSL)

IPS / App Ctrl

WCF / G AV

Routing

VLANs

Individual VDOMs

. ..

Root VDOMM

GM

T

MG

MT

Firewall

IPS / App Ctrl

WCF / G AV

Routing

VLANs

VPN(IPSec/SSL)


Dynamic Security Profiles


Provides an authenticated bypass of the Service Restrictions Within a domestic environment

Both end-points (users) are behind the same NAT boundary Clientless solution to differentiate access – no software to ‘hack’ Parental control is maintained

DSL

Home user 1(Adult)

NAT

DSL

Home user 2 (Child)

Dynamic Security Profiles- In Home Parental Control*

DYNAMIC SECURITY PROFILES


*FortiOS Carrier 4.1

www.badsite.com


• Per end-point Black / White List− End points (users, MSISDN) can have their own black white list− No requirement for end user to access FortiGate infrastructure

• Can be populated on Self Service Portal• Dynamically configured on FortiGate as end points attach

− RADIUS VSA Extension, no fixed limit for URLs

DSL+3G

RADIUS

Dynamic Security ProfilesEnd-Point customisation



Self ServicePortal

*FortiOS Carrier 4.2www.badsite.com


Infrastructure protection


Mobile Operator Threat Evolution

Pre-IMS IMS

voice

SMS

VOIP

Media

IPTV

IMMMS

Rapid ApplicationDeployment

Web

Web


Security Considerations – What?

InterrogatingCSCF

InterrogatingCSCF

ServingCSCF

ServingCSCFFixed

Wireline

WifiWiMax

MobileWireless

ProxyCSCFProxyCSCF

App ServerPresence / IM App Server

Presence / IM

IPNetwork

App ServerPush-to-talk App Server

Push-to-talk

App ServerETC…

App ServerETC…

IPNetwork

SIPSIP

IMS SIPCore

IMS SIPCore

h.248h.248

DIAMETERDIAMETER

PDFRACSRACF

PDFRACSRACF

CarrierPeer IP

Network

A-BGFA-BGF I-BGFI-BGF

I-BCFI-BCF

PSTNMedia

GatewayMedia

Gateway

h.248h.248

SIPSIP

SIPSIP

SIPSIP

MediaMedia MediaMediaMediaMedia

FortiGateFortiGate

Access-Voice Security moves all the way to the handset

-Encryption/Compression/Authentication (open up payload)-IPS capabilities (msg flood, header tampering)

- Network Denial of Service-Antivirus

-Same HTTP/SMTP offerings as pre-ims at Internet Egress

Applications-Rapid app delivery

-Host Attacks

Peering-Open Internet (Traffic Anomaly)

-IPS (msg flood, proto conformance)-QoS-VPN

-Antivirus-Protocol translations (L3 and L4)

-NAT ALG services-Overlapping Subnets-Virtualization per peer

Handsets-FW/VPN/IPS/AV


FortiOS Carrier Security Highlights

Dynamic Profiles Per user services via a RADIUS API Protection Profile derived from RADIUS record

Session Initiation Protocol (SIP) Security Stateful SIP tracking, Malicious SIP message protection , SIP Rate Limitation SIP Transparent or SIP NAT mode, IP Topology Hiding, RTP Pinholing Geographical Redundancy, SIP Stateful High-Availability

Multimedia Message Service (MMS) Security Antivirus, Antispam/Antifraud, Antiphising (via Web Filtering) Sender and Admin notification

GPRS Tunneling Protocol (GTP) Firewall 3GPP 29.060 version 6.9.0, including Overbilling Protection Protocol Anomaly Checks, IMSI/APN/IE filtering

Dynamic Profiles Per user services via a RADIUS API Protection Profile derived from RADIUS record

Session Initiation Protocol (SIP) Security Stateful SIP tracking, Malicious SIP message protection , SIP Rate Limitation SIP Transparent or SIP NAT mode, IP Topology Hiding, RTP Pinholing Geographical Redundancy, SIP Stateful High-Availability

Multimedia Message Service (MMS) Security Antivirus, Antispam/Antifraud, Antiphising (via Web Filtering) Sender and Admin notification

GPRS Tunneling Protocol (GTP) Firewall 3GPP 29.060 version 6.9.0, including Overbilling Protection Protocol Anomaly Checks, IMSI/APN/IE filtering


• Global presence with 30+ offices worldwide• 5,000+ channel partners• 500,000 units shipped worldwide • 75,000+ customers (including the majority of the

Fortune Global 100)• 1,200+ employees• IPO Nov 2009 – FTNT• Consistently strong sequential growth• Profitable: $259+ million cash balance & cash flow

positive

Fortinet: An Established Security Vendor


Security Vendor of The Year in APAC

• Fortinet awarded 2010 Security Vendor of the Year by Frost & Sullivan for Asia Pacific

• Competitors: Juniper, Check Point, Cisco

[…] an achievement that was undoubtedly driven by the foresight of Fortinet in expounding and leveraging on the rapidly emerging trend of technology convergence.

The combination of effective go-to-market and product strategies was pivotal in cementing Fortinet’s position as a major player in the network security market in the Asia Pacific region.

Edison Yu, Asia Pacific Information & Communication Technologies Practice, Frost & Sullivan

””

““

““

””


Fortinet High-End Traction

20

International UTM Revenue Share, 2009$50,000-99,999 Price Band

Source: IDC Worldwide Security Appliance Tracker, Q3 2009*International = Western Europe + Japan +Asia Pacific

Fortinet Secures:

• 7 of Top 10 Fortune 500

• 5 of Top 10 Global 500 in EMEA

• 7 of Top 10 Global 500 in APAC

• 6 of Top 10 Global 500 Commercial & Savings Banks

• 7 of Top 10 Global 500 Aerospace & Defense

• 2 of Top 5 Global 500 in IT Services


India

2009 UTM Market – 31.26 M$2009 UTM Market – 31.26 M$2009 Security Appliances Market 2009 Security Appliances Market – 85.23 M$– 85.23 M$


Fortinet TelCos/xSPs Customers Success

…and others rely on Fortinet’s protection


Thank You

23

Securing Next Generation Carrier Networks Vishak Raman - Regional Director – SAARC.

Documents

Transcript of Securing Next Generation Carrier Networks Vishak Raman - Regional Director – SAARC.